An Introduction to Cyber Essentials and Cyber Essentials Plus
- Posted by Gareth Keenan
- Categories Cyber Essentials, Cyber Security
- Date 13/02/2024
Cyber Essentials is a government-backed cyber security certification scheme which was established to ensure organisations which store, manage and share sensitive data (i.e. almost every organisation) have basic, foundational cyber security measures implemented to protect this data. Cyber Essentials certification also helps organisations protect themselves from cyber criminals and the techniques they employ to compromise organisations’ IT systems, such as ransomware, by requiring them to implement controls across five key technical control areas: access control, safe configurations, patch management, firewalls and malware prevention. The scheme was launched in June 2014, is now managed by the National Cyber Security Centre (NCSC) and, so far, over 30,000 certifications have been awarded.
What Does Cyber Essentials Certification Protect Against?
The primary objective of the scheme is to maintain the confidentiality, integrity and availability (also known as ‘CIA’ or the ‘security triad’) of organisations’ data against internet-based cyber threats which require limited technical expertise. According to the NCSC, implementing the scheme’s controls protects an organisation against around 80% of the most common cyber attacks, such as phishing, opportunistic hacking and password guessing.
It’s important to note that Cyber Essentials should not be looked at as a complete cyber security strategy. The scheme was designed to be an accessible starting point for organisations looking to improve their cyber security posture which, despite protecting against the most common cyber threats, does not protect against more sophisticated malicious actors and attacks. Instead, you should approach Cyber Essentials as a strong foundation of cyber security measures which you can then build on when you have the resources available to do so.
However, although Cyber Essentials certification should be implemented with the aim of eventually expanding your cyber security measures to safeguard your organisation against more advanced forms of attack, the certification is not without its advantages. By certifying, your organisation will demonstrate its dedication to maintaining cyber security and ensuring the continued security of data sharing between you and your suppliers, clients and partners. As well as this, you will almost always need to be Cyber Essentials certified in order to bid on government contracts. For most Ministry of Defence contracts, you will need to be certified to Cyber Essentials Plus, the scheme’s higher qualification (more on this later).
What Five Technical Controls Do You Need to Implement?
Safe configurations – Rather than using the ‘default’ configuration settings on hardware and software, which are often easier for attackers to exploit, select the most secure settings available. This includes removing unnecessary software and user accounts, changing default passwords so that they are harder to guess, disabling auto-run features, and authenticating users before they can gain internet-based access to sensitive data.
Firewalls – Cyber Essentials certification requires you to protect all in-scope, internet-connected devices with a firewall, creating a ‘buffer’ between your devices and the internet. A firewall can be either software running on the device or a physical (boundary) device; for more complicated networks with a number of different devices, the latter is generally more effective.
Patch management – This control theme requires you to keep all device operating systems and installed software and apps updated. Manufacturers and developers regularly release updates which, alongside improving performance and adding new features, fix any vulnerabilities that have been identified – this is known as ‘patching’. To certify to Cyber Essentials, your organisation will need to ensure all software is licensed and supported, removed from devices when no longer supported, and that all patches described by the manufacturer as ‘critical’ or ‘high risk’ are installed within 14 days of release.
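The two testable parts of the patch-management control (no unsupported software, and critical/high fixes applied within 14 days of release) are easy to check mechanically against a software inventory. The script below is an added example written for this page, not a tool from the original article, from URM or from the NCSC. The inventory layout, product names, versions and dates are all constructed for illustration; a real check would be fed from your endpoint-management or vulnerability-scanning tool.

```python
"""Minimal Cyber Essentials patch-management checker (added example).

Flags, per device:
  * software whose vendor end-of-support date has passed (must be removed);
  * 'critical' / 'high' vendor updates that have been available for more than
    14 days and are not yet installed (overdue).
All data structures and sample records below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

PATCH_WINDOW = timedelta(days=14)      # Cyber Essentials: critical/high within 14 days
URGENT = {"critical", "high"}          # vendor severities the 14-day rule applies to


@dataclass(frozen=True)
class Update:
    product: str
    version: str      # first version containing the fix (assumed dotted numeric)
    severity: str     # vendor rating, e.g. "critical", "high", "medium"
    released: date


@dataclass(frozen=True)
class Installed:
    device: str
    product: str
    version: str
    end_of_support: Optional[date]    # None = vendor still supports this version


def version_tuple(v: str) -> Tuple[int, ...]:
    """'121.0.2' -> (121, 0, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def check_device(inst: Installed, updates: List[Update], today: date) -> List[Tuple[str, str, str]]:
    """Return (device, product, finding) tuples for one installed product."""
    findings = []
    if inst.end_of_support is not None and inst.end_of_support <= today:
        findings.append((inst.device, inst.product, "unsupported software must be removed"))
    for u in updates:
        if u.product != inst.product or u.severity.lower() not in URGENT:
            continue                                  # other product, or not critical/high
        if version_tuple(inst.version) >= version_tuple(u.version):
            continue                                  # fix already present
        age = today - u.released
        if age > PATCH_WINDOW:
            late = (age - PATCH_WINDOW).days
            findings.append((inst.device, inst.product,
                             f"{u.severity} update {u.version} overdue by {late} days"))
    return findings


def audit(inventory: List[Installed], updates: List[Update], today: date) -> List[Tuple[str, str, str]]:
    """Run check_device over the whole inventory and collect all findings."""
    out = []
    for inst in inventory:
        out.extend(check_device(inst, updates, today))
    return out


# --- constructed sample data (not real products, versions or dates) ---------
TODAY = date(2024, 2, 13)
UPDATES = [
    Update("ExampleBrowser", "121.0.2", "critical", date(2024, 1, 20)),  # 24 days old
    Update("ExampleBrowser", "121.0.3", "medium",   date(2024, 2, 1)),   # not in scope of 14-day rule
    Update("ExampleOffice",  "16.82",   "high",     date(2024, 2, 5)),   # 8 days old, still in window
]
INVENTORY = [
    Installed("laptop-01",  "ExampleBrowser", "121.0.1", None),                # missing critical fix
    Installed("laptop-02",  "ExampleBrowser", "121.0.2", None),                # up to date
    Installed("laptop-02",  "ExampleOffice",  "16.81",   None),                # high fix pending, not yet overdue
    Installed("desktop-07", "LegacyDB",       "9.6",     date(2021, 11, 11)),  # out of support
]

if __name__ == "__main__":
    for device, product, finding in audit(INVENTORY, UPDATES, TODAY):
        print(f"{device:12} {product:16} {finding}")
```

Running it on the constructed data reports laptop-01 as overdue for the critical browser update (released 24 days ago, so 10 days past the 14-day limit) and desktop-07 as running unsupported software; the pending ‘high’ update on laptop-02 is still inside the window, so it is not a failure yet, though an assessor will expect it to be applied before day 14.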
Access controls – User accounts, including staff accounts, should only have enough access to software, settings, online services, and device connectivity functions to perform their job role. If an account is compromised, effective access controls will minimise the amount of damage an attacker can do, and the amount of sensitive data they can access.
Malware protection – Malware, such as a virus or ransomware, is software or web content that is designed to cause damage. Cyber Essentials requires you to implement protection against malware, such as antivirus software, allowing apps on mobile devices to be installed only from manufacturer-approved stores (e.g. Apple App Store or Google Play), or running apps and programs in a ‘sandbox’.
Selecting a Cyber Essentials Certification Level
All Cyber Essentials certifications, regardless of which certification level you choose, must be facilitated by an accredited certification body, such as URM. If you decide to certify against Cyber Essentials, the accredited certification body you select will provide you with a self-assessment questionnaire (SAQ) to complete, which will need to be accompanied by a declaration, signed by a board-level member of your organisation. After an assessor has reviewed your questionnaire, you will be informed about whether you have passed or not and, if successful, provided with your certification. This level of certification is ideal for small organisations looking to demonstrate that they have the appropriate, essential security controls in place.
Cyber Essentials Plus, meanwhile, has exactly the same requirements as Cyber Essentials, but is assessed slightly differently. Where Cyber Essentials certification only relies on you self-reporting your adherence to the requirements, Cyber Essentials Plus certification necessitates an external review of your security controls to confirm that you have implemented them. Your assessor will conduct a technical audit of your in-scope systems by looking at a sample of your organisation’s devices. A vulnerability scan is performed on the sample devices and your email client and internet browsers will also be tested, and the information collected will be used to inform any necessary corrective actions. While the certification process for Cyber Essentials Plus is slightly more involved than for Cyber Essentials, it is worth the extra effort, providing further assurance to stakeholders of your effective implementation of these essential technical controls.
How URM Can Help
As both an accredited certification body and an Assured Service Provider under the NCSC’s Cyber Advisor scheme, URM is ideally placed to both help your organisation prepare for Cyber Essentials and facilitate your assessment. Not only does our large team of assessors allow us to guarantee a quick turnaround, but our extensive cyber security experience means we have the knowledge and expertise necessary to support you through every stage of the Cyber Essentials certification process.